Commit 852b0341 authored by Vincent Pelletier's avatar Vincent Pelletier

http: Stop changing umask.

Instead, use a thread-safe way. Current code using it is not threaded, but
future code will be.
parent af832447
......@@ -44,6 +44,18 @@ _cryptography_backend = default_backend()
BACKUP_SUFFIX = '.sql.caucased'
def _createKey(path):
"""
Open a key file, setting it to minimum permission if it gets created.
Does not change umask, to be thread-safe.
Returns a python file object, opened for write-only.
"""
return os.fdopen(
os.open(path, os.O_WRONLY | os.O_CREAT, 0o600),
'w',
)
class ThreadingWSGIServer(ThreadingMixIn, WSGIServer):
"""
Threading WSGI server
......@@ -179,7 +191,7 @@ def updateSSLContext(
),
),
)
with open(server_key_path, 'w') as crt_file:
with _createKey(server_key_path) as crt_file:
crt_file.write(new_key_pem)
crt_file.write(new_crt_pem)
else:
......@@ -225,13 +237,9 @@ def updateSSLContext(
cas.createCertificate(csr_id)
new_crt_pem = cas.getCertificate(csr_id)
new_key_pem = utils.dump_privatekey(new_key)
old_mask = os.umask(077)
try:
with open(server_key_path, 'w') as crt_file:
crt_file.write(new_key_pem)
crt_file.write(new_crt_pem)
finally:
os.umask(old_mask)
with _createKey(server_key_path) as crt_file:
crt_file.write(new_key_pem)
crt_file.write(new_crt_pem)
ssl_context.load_cert_chain(server_key_path)
if wrap:
https.socket = ssl_context.wrap_socket(
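Review bot: `_createKey` opens the file with `os.O_WRONLY | os.O_CREAT` and no `os.O_TRUNC`, so unlike the `open(server_key_path, 'w')` calls it replaces in `updateSSLContext`, it leaves in place any bytes of an existing file that lie beyond the newly written key and certificate; on renewal, a shorter PEM would be followed by leftover material from the previous one. The `0o600` mode is also applied only when the file is created, so a key file that already exists with wider permissions keeps them, which the docstring hints at ("if it gets created") but the code does not correct. Consider `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `os.fchmod(fd, 0o600)` before `os.fdopen(fd, 'w')`, and have the docstring state what happens to a pre-existing file. Both call sites in `updateSSLContext` are affected; that function's body starts and ends outside the visible hunks.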
......